Poor government security makes industry wary

by Stephen Barlas, Contributor

The annual review of government security practices shows several agencies still aren't improving. Experts are worried it could harm Homeland Security's ability to work with the private sector to stop cyberterrorism.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

on their cybersecurity efforts -- doesn't bode well for companies willing to share security data with the Department of Homeland Security or other government agencies.

To the extent that the report issued last week by the House Government Reform Committee heightens congressional and perhaps White House concern about a gaping hole in the defense against the war on terror, there may be some pressure on the Departments of Defense (DOD), Homeland Security (DHS), State and Justice to pay more attention to computer and IT security.

At the same time, those dismal grades may encourage many in the private sector to think twice about sharing information with DHS. John Sabo, director of security and privacy initiatives for Islandia, N.Y.-based CA Inc., said IT companies met as recently as three weeks ago with DHS officials about specific data security measures it must implement before the industry would be willing to share proprietary corporate IT infrastructure information.

"It is less likely that any significant volume of sensitive IT information sharing will go on if we believe that information cannot be protected," Sabo said.

The annual security scorecard is mandated by the Federal Information Security Management Act of 2002 (FISMA). It rates 24 agencies and departments based on information submitted by agency CIOs and inspectors general. Those reports use metrics related to such things as the percentage of information security systems reviewed, how many have been accredited and certified and how many have plans of action and milestones to address system weaknesses.

For the third year in a row, Davis gave the overall federal government a grade of D+. "None of us would accept D+ grades on our children's report Cards," he said. "We can't accept these either."

However, the DHS grade actually increased from 20.5 out of 100 in 2004 to 33.5 in 2005. But that was still an F and the department's poor showing can be attributed, according to a committee staffer, to poor configuration management, inadequate certification and accreditation and deficient annual testing of systems.

Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA) and a former DHS official, said the failing grades for national security agencies "doesn't bode well for the future." He said the White House Office of Management and Budget (OMB), which is responsible for ensuring FISMA compliance, lacks the necessary resources to do the job.

Drew Crockett, a spokesman for Davis, said OMB's capabilities will be evaluated, adding that Davis is not unsympathetic to the IT security challenges faced by DOD and DHS.

"These are massive agencies with complex problems," Crockett said. "DHS inherited old computer systems from the agencies it incorporated. But they must move forward. They are on the front lines in the war against terror."

At the hearing, Scott Charbo, CIO for DHS, insisted his agency was moving forward. For example, he said last year just 26% of systems were properly accredited for security, but now -- following the remediation project instituted last fall by DHS Secretary Michael Chertoff -- over 60% are accredited. The department has also started a new program to bring all legacy IT infrastructures under a single management program. "I am confident that the DHS Information Security Program is moving in the right direction," Charbo concluded.

Alan Paller, director of research at SANS Institute, said the results of the report card aren't as important as how the systems perform under more pointed analyses.

"How ready are government systems? Are they configured correctly? Do they have the latest patches? Are the filters in front of them up to date? Each of those questions can be answered in real-time without paying millions to consultants to write reports that will never be read" Paller said via e-mail.

CA's Sabo explained others have voiced similar criticisms of FISMA in the past. But he emphasized that the transparency provided by the FISMA reports is very important. He gave Davis considerable credit for holding the federal government's feet to the fire on IT security.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy